Step 1: Enter the Issuer — this is the service name (e.g., "GitHub", "AWS", "MyCompany").
Step 2: Enter the Account Name — typically an email address or username.
Step 3: Either click the magic wand button to auto-generate a cryptographically secure Base32 secret key, or paste your own existing key.
Step 4: Choose your algorithm, digit count, and period (defaults: SHA1, 6 digits, 30s are the most compatible).
Step 5: Copy the generated URI or download the QR code image to share with your users.

The Base32 encoding uses only the characters A-Z and 2-7 (32 characters total), making it case-insensitive and avoiding visually ambiguous characters like "0", "1", and "8". TOTP authenticator apps decode this Base32 string into raw bytes to compute HMAC-based one-time passwords. A strong secret key should be at least 16 characters (80 bits) long, with 32 characters (160 bits) being the recommended standard for SHA1. Our generator creates cryptographically secure 32-character Base32 keys using the Web Crypto API.

The otpauth:// URI format is universally supported by all major authenticator applications:

• Google Authenticator (iOS & Android) — Full support
• Microsoft Authenticator — Full support with cloud backup
• Authy by Twilio — Multi-device sync support
• FreeOTP — Open-source, supports SHA256/SHA512
• Bitwarden Authenticator — Integrated with password manager
• 1Password — Built-in TOTP support
• LastPass Authenticator — Full support

For maximum compatibility, use SHA1 algorithm with 6 digits and 30-second period.

These refer to the hash algorithm used in the HMAC computation inside the TOTP algorithm:

SHA1 — Most common, supported by virtually all authenticator apps. Uses 160-bit hashes. Perfect for general use.
SHA256 — Stronger 256-bit hashing. Requires a longer secret key (≥32 chars recommended). Supported by FreeOTP, Bitwarden, and modern apps.
SHA512 — 512-bit hashing, highest security margin. Less widely supported. Use only if you know your authenticator app supports it.

For most use cases, SHA1 is perfectly secure when paired with a strong random secret key. The security of TOTP relies primarily on keeping the secret key secret, not on the hash algorithm strength.

After scanning the QR code with your authenticator app:

1. The app should display a 6-digit (or 8-digit) code that refreshes every 30 seconds (or your configured period).
2. Verify the code against your server-side TOTP implementation. Most backend libraries (like speakeasy for Node.js, pyotp for Python, or otp.net for .NET) can validate the generated OTP.
3. Check that the time on your device is synchronized (TOTP relies on accurate time).
4. Test at least 2-3 consecutive OTP codes to ensure consistency.

Pro tip: Always provide users with backup/recovery codes in case they lose access to their authenticator app.

Yes, this tool is safe:

• All secret key generation happens entirely in your browser using the crypto.getRandomValues() Web Crypto API — no data is sent to any server.
• The QR code image is generated via a secure HTTPS API call to api.qrserver.com. Only the encoded URI data is sent to generate the image; the API does not store your secrets.
• For maximum security, you can use this tool offline after the page loads, or self-host it.
• We never log, store, or transmit your secret keys. The page has no analytics that capture form input.

Best practice: Generate secrets in a trusted environment, store them securely (e.g., in a password manager or secrets vault), and transmit them to users over encrypted channels.

This tool currently generates TOTP (Time-based) URIs using the otpauth://totp/ format. For HOTP (HMAC-based counter), the URI would use otpauth://hotp/ with an additional counter parameter. While many concepts are the same, HOTP requires counter synchronization between the server and client. If you need HOTP support, you can manually modify the generated URI by changing totp to hotp and adding &counter=0 to the parameters. We may add dedicated HOTP support in a future update.